
Safe Machinery Design: Minimizing Risk in the Plant

EP Editorial Staff | November 4, 2014


Awareness of new design standards that increasingly call for safety to be “built-in” to modern machinery can help with purchase decisions and repairs.

Today’s automated machinery is designed to operate at considerably higher speeds than in the past, and most manufacturing machinery uses electric motors to produce, package or transfer products. Such machines can quickly cause injury if a body part or clothing is drawn in while they operate. But in the race to meet production deadlines and budgets, safety must never be an afterthought. The most basic “safe” state for a motor-driven axis is one in which the motor cannot receive the power it needs to produce torque. Machine and operator safety must be considered at all stages of a machine’s service life, from design and commissioning to operation and maintenance. The least effective and most costly safety fixes are those made after a machine has been commissioned and problems arise.

Operating safely at higher performance dynamics calls for uniform safety concepts. In the design stage, mechanical engineers are bound by safety standards and must know how those standards affect their designs. It also helps maintenance professionals to understand the application ranges of the standards, and how they differ and overlap, because maintenance is often involved in purchase decisions for new machines. Moreover, this group’s experience working on machinery that lacks modern safety features gives it a unique perspective on what truly makes machinery safe.

The comprehensive Machinery Directive (MD) 2006/42/EC, applicable since the end of 2009, defines the essential health and safety requirements for machines placed on the market in the European Economic Area (EEA). Before a machine is placed on the market, its manufacturer must confirm that the MD requirements are met and affix the “CE” mark to the machine. The directive itself prescribes requirements rather than technical solutions; those come from the European standards “harmonized” under it, and designing to a harmonized standard gives a presumption of conformity with the directive. Harmonization, in this sense, means consistent, standards-based safety requirements across the EEA, and because the same ISO and IEC standards are adopted elsewhere, it also narrows differences between regions.

In the field of machine and systems engineering, EN ISO 13849-1 applies to the safety-related parts of control systems on all types of machines, regardless of the technology and energy used (electrical, hydraulic, pneumatic or mechanical). The standard gives machine builders and plants a new way to specify safety: a required Performance Level (PL a through e) for each safety function, verified through the probability of a dangerous failure per hour (PFHd). Whichever standard an engineer chooses to follow, probability calculations are now required to verify the reliability of the safety-related parts of machine controls. For this reason, the safety-related parameters of individual components, such as MTTFd, B10d and diagnostic coverage, come into play.

Function and validation of ‘Safety-Related Parts’

What risks does a machine pose? This should be among the first questions asked during the machine design phase. It should be assumed that any hazard present on a machine will eventually cause harm if protective measures are not taken. Therefore, all potential hazards must be identified early in development.

A comprehensive risk-and-hazard analysis can identify and assess risks posed by each potential hazard. If a need for risk-minimization is revealed, the standards above set out a hierarchy of measures to mitigate and minimize hazards to acceptable levels. This is done via design measures, protective devices and user information.

Risk parameters, namely the severity of injury (S), the frequency and duration of exposure (F) and the possibility of avoiding the hazard (P), must be evaluated for each hazard identified in the risk-and-hazard analysis. Where possible, design measures are implemented to minimize risk. But in many cases design measures alone are insufficient, and protective devices are needed to achieve adequate risk reduction. It is within this context that safety functions executed by SRP/CS (Safety-Related Parts of a Control System) are defined.

SRP/CS measures cover the entire safety chain of sensors (detect), logic (process) and actuators (switch off or act). Safety functions are defined on the basis of both the application and the hazard. For special machines they are often specified in a Type-C (product-specific) standard, which sets out precise requirements. In the absence of a C standard, the machine designer defines the safety functions.

The design of a safety-related control function must be validated by showing that the combination of safety-related parts implementing each safety function meets the applicable requirements. That is one important reason to select machine suppliers whose products requiring functional safety engineering are already certified to the new standards. Today, powerful software tools are available to support safety engineering and validation. One, called SISTEMA, is provided free of charge by the IFA (Institut für Arbeitsschutz der Deutschen Gesetzlichen Unfallversicherung), the German Social Accident Insurance’s Institute for Occupational Safety and Health, which helps organizations solve scientific and technical problems related to occupational safety and health.

SISTEMA can be used to determine the performance level achieved by a machine’s safety functions. Dialog boxes guide engineers through creating the individual safety functions of a project and entering the safety-related parameters for the subsystems and channels in each one. Parameters for all components in the safety chain (sensor, logic and actuator) must be entered. The tool then calculates the performance level of each subsystem and of the complete safety function.

Some component manufacturers take the tool a step further by providing a SISTEMA library of their components that have been certified to the latest standards. The library can be integrated into a project and used without having to determine and enter the safety-related parameters of each drive component by hand. This saves time and avoids erroneous entries.
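The arithmetic behind the performance-level verification described above, as an added illustration (this is not SISTEMA’s code, and every component figure in it is constructed). It implements the simplified procedure of ISO 13849-1 in its 2006 edition, the one in force when this article appeared: MTTFd from a B10d value and operating profile (Annex C), the parts-count combination of MTTFd within a channel, PL from category, diagnostic coverage and MTTFd (Table 7), PL from a PFHd sum (Table 6), and the Table 11 rule for combining subsystems in series when only their PLs are known. The chain in `example_chain()` (light curtain, safety PLC, actuator subsystem) is assumed for the demonstration.

```python
"""Performance Level (PL) bookkeeping for a series safety chain, following the
simplified procedure of ISO 13849-1 (2006 edition). Added illustration only:
not SISTEMA's code; all component figures below are constructed."""

PL_ORDER = "abcde"  # a = lowest reliability, e = highest

# Table 6: PFHd band per PL, in dangerous failures per hour (lower bound inclusive).
PFHD_BANDS = {"e": (1e-8, 1e-7), "d": (1e-7, 1e-6), "c": (1e-6, 3e-6),
              "b": (3e-6, 1e-5), "a": (1e-5, 1e-4)}

# Table 7 (simplified procedure): PL from (category, DCavg class) and MTTFd class.
TABLE_7 = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}

# Table 11: series combination when only PLs are known.
# lowest PL -> (max number of subsystems allowed at that PL, PL if exceeded)
TABLE_11 = {"a": (3, None), "b": (2, "a"), "c": (2, "b"), "d": (3, "c"), "e": (3, "d")}


def mttfd_from_b10d(b10d, days_per_year, hours_per_day, cycle_time_s):
    """MTTFd in years for an electromechanical part, from its B10d and the
    number of operations per year n_op (ISO 13849-1, Annex C)."""
    n_op = days_per_year * hours_per_day * 3600 / cycle_time_s
    return b10d / (0.1 * n_op)


def channel_mttfd(part_mttfds):
    """Parts-count method: 1/MTTFd = sum(1/MTTFd_i), capped at 100 years
    (the 2006 edition's cap; the 2015 edition allows up to 2500 years for Cat 4)."""
    return min(100.0, 1.0 / sum(1.0 / m for m in part_mttfds))


def mttfd_class(years):
    if years < 3:
        raise ValueError("MTTFd below 3 years is outside the standard's scope")
    if years < 10:
        return "low"
    return "medium" if years < 30 else "high"


def dc_class(dc_percent):
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    return "medium" if dc_percent < 99 else "high"


def pl_from_table7(category, dc, mttfd):
    """None means the combination is not achievable with the simplified method."""
    return TABLE_7.get((category, dc), {}).get(mttfd)


def pl_from_pfhd(pfhd):
    for pl, (low, high) in PFHD_BANDS.items():
        if low <= pfhd < high:
            return pl
    return None  # >= 1e-4: no PL; < 1e-8: beyond the standard's scope


def combine_by_pfhd(pfhds):
    """Primary method when every subsystem's PFHd is known: PL of the sum."""
    return pl_from_pfhd(sum(pfhds))


def combine_by_table11(pls):
    """Alternative when only the subsystem PLs are known (Table 11)."""
    pl_low = min(pls, key=PL_ORDER.index)
    n_low = pls.count(pl_low)
    max_n, downgraded = TABLE_11[pl_low]
    return pl_low if n_low <= max_n else downgraded


def example_chain():
    """Constructed chain: light curtain -> safety PLC -> actuator subsystem."""
    # Actuator element from B10d: 1.3e6 cycles, 220 d/yr, 16 h/d, 60 s cycle (constructed).
    act_mttfd = mttfd_from_b10d(1_300_000, 220, 16, 60)                 # ~61.6 years: "high"
    act_pl = pl_from_table7("3", dc_class(60), mttfd_class(act_mttfd))  # Cat 3, DC low -> "d"
    subsystems = [("light curtain", "e", 7e-9), ("safety PLC", "e", 2.5e-9),
                  ("actuator", act_pl, 1.5e-7)]                         # PFHd values constructed
    return {
        "actuator_mttfd_years": act_mttfd,
        "actuator_pl": act_pl,
        "pl_by_pfhd_sum": combine_by_pfhd([p for _, _, p in subsystems]),
        "pl_by_table11": combine_by_table11([pl for _, pl, _ in subsystems]),
    }
```

The two combination functions show why a tool matters: four subsystems of PL d with PFHd values near the bottom of the band still sum to PL d, whereas Table 11 (used when PFHd values are unavailable) downgrades four PL d subsystems to PL c, so the method, not just the component data, determines the result.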

Control of safety functions

The moving parts of a machine typically pose the greatest risk to plant personnel. As noted, the primary purpose of drive-related safety functions is to safely limit the motion of the drive on demand or in the event of an error. The most effective design approach is to intervene where the dangerous movement originates, which is in the drive that controls the motor.

Drive-based safety is the integration into the drive of functional safety features that specifically guard against uncontrolled movement. When anomalous movement is detected, the drive can stop itself significantly faster than conventional solutions built from external safety relays, speed monitors or contactors. Drive-based safety can also simplify machine control systems, thereby reducing cost and expediting the assessment of risks and hazards.

Integrated drive-safety features generally fall into three categories: safe stop functions, safe motion monitoring functions (which may trigger a stop function in the event of a fault), and means of activation, such as safe inputs or a safety bus system. The safety chain comprises sensor input (light curtain, emergency stop button, safe feedback), logic (safety PLC) and actuator or output (a drive with integrated safety functions).

Clearly, stop functions are among the most critical. According to the situation, the drive is shut down in a technically redundant, safe fashion by means of the safe torque off (STO) mechanism. This prevents the inverter from generating a rotating field that would produce a torque in the motor. Note that STO removes torque but does not actively brake: a coasting axis or a suspended load needs a controlled stop (safe stop 1) or a brake before torque is removed. Depending on the application, integrated safety functions might include any or all of the following (IEC 61800-5-2 designations in parentheses where one exists):

  • Safe torque off (STO)
  • Safe stop (SS1, SS2)
  • Safe maximum speed (SMS)
  • Safely limited speed (SLS)
  • Safe jog mode
  • Safely limited increment (SLI)
  • Safe direction (SDI)
  • Safe speed monitoring (SSM)

Building on this basic framework, the latest drive-safety modules offer higher-order safety functions such as safely limited speed and safe direction, variants such as safe operating stop (SOS, in which the drive holds position under closed-loop control while monitoring that it does not move), and safe inputs and outputs.
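The “technically redundant” shutdown path above, modelled as an added illustration (not vendor code): two redundant stop-demand channels are evaluated every scan, torque is removed the moment either channel opens, a disagreement between the channels that outlasts a discrepancy limit latches a fault, and torque is re-enabled only after an explicit restart acknowledgement. The scan period, the 500 ms discrepancy limit and the input sequences are assumed values chosen for the demonstration; the discrepancy-time check and restart interlock are common practice for two-channel safety inputs, not something the article specifies.

```python
"""Two-channel stop-demand evaluation feeding Safe Torque Off (STO).
Added illustration only; parameters and sample inputs are constructed."""


class StoEvaluator:
    """Tracks two redundant channels (True = circuit closed, no stop demand)."""

    def __init__(self, discrepancy_limit_ms=500):
        self.discrepancy_limit_ms = discrepancy_limit_ms  # assumed limit
        self.torque_enabled = False   # power-up state: STO active
        self.fault = False            # latched: channels disagreed too long
        self._disagree_ms = 0
        self._both_closed = False

    def step(self, ch1_closed, ch2_closed, dt_ms):
        """Evaluate one scan. Returns whether torque is enabled afterwards."""
        self._both_closed = ch1_closed and ch2_closed
        if self.fault:
            self.torque_enabled = False
            return False
        if ch1_closed != ch2_closed:
            # One open channel is already a valid demand: remove torque at once.
            # Time the disagreement; a stuck contact or broken wire shows up as
            # a disagreement that never resolves, which latches a fault.
            self._disagree_ms += dt_ms
            if self._disagree_ms > self.discrepancy_limit_ms:
                self.fault = True
            self.torque_enabled = False
            return False
        self._disagree_ms = 0
        if not self._both_closed:
            self.torque_enabled = False   # demand on both channels: STO
            return False
        # Both closed again: stay in STO until reset() acknowledges the restart.
        return self.torque_enabled

    def reset(self):
        """Restart acknowledgement. Succeeds only with no latched fault and
        both channels closed on the last scan."""
        if self.fault or not self._both_closed:
            return False
        self.torque_enabled = True
        return True


def run_sequence(evaluator, samples):
    """Apply (ch1, ch2, dt_ms) samples; the string 'reset' models the restart
    acknowledgement. Returns the torque state after each entry."""
    states = []
    for sample in samples:
        if sample == "reset":
            evaluator.reset()
            states.append(evaluator.torque_enabled)
        else:
            states.append(evaluator.step(*sample))
    return states


if __name__ == "__main__":
    # Constructed sequence: power-up, restart, e-stop pressed and released, restart.
    print(run_sequence(StoEvaluator(), [(True, True, 10), "reset", (True, True, 10),
                                        (False, False, 10), (True, True, 10),
                                        "reset", (True, True, 10)]))
```

The latched fault is the detail worth noticing: a channel that stays open while its partner stays closed is indistinguishable from a wiring fault, so the evaluator refuses to re-enable torque until the fault is cleared, which is exactly the diagnostic coverage that lets a two-channel input reach a high category.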

Not that long ago, conventional solutions for drive safety typically required additional external components. This is no longer the case. Drive-based safety gives greater clarity to safety technology and its implementation, which simplifies system structure and reduces system cost. External monitoring hardware, such as separate safety relays, speed monitors or a second encoder system for safely limited speed, is not needed; the guards and protective devices identified in the risk assessment remain, but the monitoring and switch-off logic moves into the drive. From a functional point of view, faster shutdown on command or in the event of an error means an increase in safety. And because the safety technology makes status information available in the servo inverter and, therefore, in the PLC, diagnostics improve as well.

The best engineered safety designs remove complexity rather than add it. Drive-based safety reduces the space, wiring and hardware needed for external safety engineering, and the machine operator benefits from transparent safety parameters configured in the drive itself. These high-performance drive systems are available in small, modular packages, with safety functions integrated in the drive or on optional pluggable modules. Safety modules enable tailor-made scalability with different grades of safety, depending on the application and the validation standard. Using modular and scalable drive components also keeps the system open to later changes that accommodate future safety standards.

Staying ahead of the safety curve

An overarching goal for a maintenance professional is to protect human operators, machines, materials and the plant environment while maintaining ease of operation, and to accomplish all of this at a competitive cost. Operating safely at higher performance dynamics calls for uniform safety concepts at the component, machine and system design levels.

Along with new machine designs come safety regulations that place responsibility for machine safety more squarely on the machine manufacturer. The safety landscape, especially in manufacturing, is set to change dramatically. For machine builders, the more stringent standards mean design changes and an increased workload for product certification. And while the new standards do not necessarily mean more complexity, they do underscore the importance of using all of the design strategies and tools available to achieve the highest level of safety.

Information in this article was supplied by Craig Dahlquist, Automation Team Supervisor, Lenze Americas.
